
Vimax ads, no updates, Windows Tools not working



#1 DMC27


Posted 29 January 2009 - 06:52 AM

Hello, I'm hoping someone here can help me. I'm new to these forums so I hope I'm posting in the correct place. Here's my problem: a couple of weeks ago I started noticing Vimax ads on almost every site I visited. After reading a little about them I took the advice to download and run Malwarebytes. It said it had found and removed a few infected files but the ads still persist. I see the ads in both Internet Explorer and Firefox. In the last few days I've also noticed a number of other issues. These include: Windows tools (check disk and defragmenter mainly) will not work on either C or D drive nor on my external drive; Ad-aware will not update; Norton 360 (subscription just ran out today) wasn't updating right for about a week; I cannot get Windows Update to even open the website; and my computer runs slower and does strange things, like a blue screen will pop up at times and the computer will shut down on its own.
I don't have very much knowledge when it comes to computers so I was hoping that someone could talk me through this. I have an Acer Aspire 5670, Windows XP Professional version 5.1 build 2600 SP2, IE 7.0
I don't know what other information is necessary but let me know and I'll pass it along. Thanks in advance for any and all help in this matter.


#2 quietman7


Posted 29 January 2009 - 09:42 AM

Please post the results of your MBAM scan for review.

To retrieve the MBAM scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format:
      mbam-log-2009-01-12(13-35-16).txt <- your dates will be different from this example
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
Please download hosts.zip and save it to your Desktop. Note: You may have to overwrite the hosts file in "Safe Mode" if you get "an access denied message" when trying to do it in normal mode.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
alternate download link

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you cannot boot into safe mode, then perform the above instructions in normal mode.

Then please download and install SpywareBlaster.

Edited by quietman7, 29 January 2009 - 09:44 AM.


#3 DMC27


Posted 31 January 2009 - 12:04 AM

Thanks for helping me. I've downloaded all that you told me to and extracted hosts.zip but when I tried to download Superantispyware I began having the same problem as I do when trying to update Ad-aware SE, I get a message reading "Internet Explorer cannot display the web page." So I downloaded it from Cnet and installed as you said. However, the update does not work--just says there was an error in the connection. I even turned off Windows firewall and tried but no luck. Should I continue your instructions without the updates? I'll wait for your reply. Thanks again for the help, here are the results of my MBAM scan:
Malwarebytes' Anti-Malware 1.33
Database version: 1668
Windows 5.1.2600 Service Pack 2

1/20/2009 5:32:45 PM
mbam-log-2009-01-20 (17-32-45).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 115803
Time elapsed: 18 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{343ce214-9998-4b21-a151-ffe970167297} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a84e835e-1b9c-4fc0-980f-4b2da3c6a2a7} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\videoplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\videoplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\videoplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Start Menu\Programs\videoplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\videoplay\Uninstall.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Start Menu\Programs\videoplay\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\rundll16.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINDOWS\system32\vcmgcd32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\logo1_.exe (Worm.Viking) -> Delete on reboot.


Malwarebytes' Anti-Malware 1.33
Database version: 1701
Windows 5.1.2600 Service Pack 2

1/29/2009 6:28:09 AM
mbam-log-2009-01-29 (06-28-09).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 120673
Time elapsed: 22 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Real Alternative\settings.exe (Rogue.Netcom3) -> Quarantined and deleted successfully.
C:\Program Files\Real Alternative\mpclauncher.exe (Rogue.Netcom3) -> Quarantined and deleted successfully.
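An added example, not part of the thread: a small Python parser for the MBAM log format quoted above. It pulls out the detections, groups them by family and outcome, flags the "Delete on reboot" entries that were still on disk when the scan finished (a clean follow-up scan after rebooting is what confirms they are gone), and checks that the summary counts match the items actually listed, since a mismatch means the paste was truncated. The sample log is a constructed, trimmed copy of the first log above.

```python
import re
from collections import Counter, namedtuple

# Constructed sample: a trimmed copy of the first log quoted above, same layout.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.33
Database version: 1668
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 115803

Registry Keys Infected: 2
Folders Infected: 0
Files Infected: 3

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\videoplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\videoplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\videoplay\Uninstall.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\rundll16.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINDOWS\system32\vcmgcd32.dll (Trojan.Agent) -> Delete on reboot.
"""

ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")  # "<path> (<family>) -> <action>."
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")  # "Key: value" header and summary-count lines
Detection = namedtuple("Detection", "section path family action")


def parse_mbam_log(text):
    """Return (header dict, list of Detection) for one MBAM log in the format above."""
    header, detections, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        if line.endswith(" Infected:"):  # e.g. "Files Infected:" opens a detail section
            section = line[:-1]
            continue
        item = ITEM_RE.match(line)
        if section is not None and item:
            detections.append(Detection(section, item["path"], item["family"], item["action"]))
            continue
        field = HEADER_RE.match(line)
        if field:  # scan metadata and the "<section>: <count>" summary lines
            header[field["key"]] = field["value"]
    return header, detections


def summarize(detections):
    """Group by family and outcome; 'Delete on reboot' items were still on disk when the scan ended."""
    return {
        "families": dict(Counter(d.family for d in detections)),
        "by_action": dict(Counter(d.action for d in detections)),
        "pending_reboot": [d.path for d in detections if d.action == "Delete on reboot"],
    }


def check_counts(header, detections):
    """Compare the summary counts with the items actually listed; a mismatch means a truncated paste."""
    listed = Counter(d.section for d in detections)
    return {k: (int(v), listed.get(k, 0)) for k, v in header.items()
            if k.endswith(" Infected") and v.isdigit() and int(v) != listed.get(k, 0)}
```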

#4 quietman7


Posted 31 January 2009 - 08:05 AM

Your MBAM log indicates you are using an older database.

You can manually download the updates from another computer, save to a usb stick or CD, then transfer to the infected computer and double-click on mbam-rules.exe to install.

alternate rules.ref download link 1.
alternate rules.ref download link 2.


Note: Mbam-rules.exe is not updated daily. Another way to get the most current definitions is to update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

Edited by quietman7, 31 January 2009 - 08:10 AM.


#5 DMC27


Posted 31 January 2009 - 10:36 AM

Thanks again quietman7, I appreciate you helping me with this. The Vimax ads no longer appear. I updated MBAM and ran it again. No infections found. I still can't update Windows, ad-aware or superantispyware. Also something new, when I turn the computer on I get a blue screen that says Checkdisk can't check RAW file system. When I check my C and D drives in properties it says they are FAT32, strange thing is I thought they were originally NTFS systems. Anyway, here is my last MBAM log:
Malwarebytes' Anti-Malware 1.33
Database version: 1712
Windows 5.1.2600 Service Pack 2

1/31/2009 9:59:13 PM
mbam-log-2009-01-31 (21-59-13).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 110605
Time elapsed: 17 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

What should I try next??? Please help, starting to lose my mind.

#6 quietman7


Posted 31 January 2009 - 12:16 PM

Before continuing with your program update problems, you need to investigate further the issues with CHKDSK. From what you describe, that may be related to a more serious matter that needs to be addressed.

To check what file system you have, go to Start > Control Panel > Administrative Tools > Computer Management and click on Disk Management, or go to Start > Run, type diskmgmt.msc and press OK.

A Raw file system is a disk partition that has not been formatted with an NT file system (FAT or NTFS). From what I have read, this is often caused by a damaged volume which may look like it lost its file system and therefore CHKDSK cannot run. I have also read this can be caused by a damaged boot sector which you may be able to repair with TestDisk.

Also see Check Disk - Disk Checking Runs Upon Boot.

#7 DMC27


Posted 31 January 2009 - 10:02 PM

Well, I tried to check my system but I kept getting access denied using both methods. I then logged off and logged back on as administrator but still received the same messages. I then right-clicked and went through 'run as...' and was able to get in. It says that both C and D are FAT32 systems. I followed the instructions under Check Disk - Disk Checking Runs Upon Reboot and my results were as follows:
Volume -- c: is dirty
Volume -- d: is NOT dirty
What does this mean? What's my next step? I've downloaded TestDisk, should I go ahead and install and run? Thanks

#8 quietman7


Posted 01 February 2009 - 08:35 AM

Volumes with file system errors are known as "dirty volumes" and you have to run Chkdsk on the volume to repair the errors. The dirty flag on a NTFS volume usually means that the file system is in an inconsistent state due to:
  • The volume is online and has outstanding changes.
  • Changes were made to the volume and the computer was shut down before the changes were committed to the disk (crash).
  • Corruption was detected on the volume.
  • Power loss during a read-write operation on that particular drive.
When booting your computer, autochk.exe (a version of Chkdsk that runs only before the machine starts) is called by the Kernel to scan all volumes to check if the volume dirty bit is set. If the dirty bit is set, autochk performs an immediate chkdsk /f on that volume, verifies file system integrity and attempts to fix any problems with the volume.

When the computer is restarted, Chkdsk runs at startup to verify the consistency of the volume.

For more detailed information, read:

#9 DMC27


Posted 03 February 2009 - 04:23 AM

Hi, sorry for the delay. I live in Thailand and sometimes my internet will go off for a period of time. It seems to be back up now. I read the links you posted but I'm unclear as to what I should do next. Things are getting progressively worse: now none of my programs will update and my homepage is always changed to lookanddiscover.com. The checkdisk comes on every time still but says it can't run. What do you suggest I try doing?

#10 quietman7


Posted 03 February 2009 - 12:20 PM

I have asked another expert to take a look at your Chkdsk and dirty volume issues.

#11 usasma


Posted 03 February 2009 - 12:36 PM

Generally the only "fix" for a dirty volume is chkdsk with a repair option (such as chkdsk /r).
In the event that chkdsk /r doesn't clear the dirty bit, your only recourse is to format the drive.

Does the file system still show up as RAW?
Can you boot to the Recovery Console and run chkdsk /r from there?
If you can't get into the Recovery Console, here's a link on how to do it: http://www.bleepingcomputer.com/tutorials/how-to-install-the-windows-xp-recovery-console/
If you don't have a disk to use, try the one (for XP) listed at this link: http://www.bleepingcomputer.com/blogs/usas...?showentry=1261

#12 DMC27


Posted 11 February 2009 - 09:27 AM

Hello, thanks for helping me out. Sorry for the delay but I've done recovery console check disk and it said it had made some repairs. However, when I booted back up in regular mode it tried to run autochkdsk but it again said that I had a RAW system. What should I try next? Thanks for all your help.

#13 usasma


Posted 12 February 2009 - 08:29 AM

I'd suggest running a diagnostic from the hard drive manufacturer on the hard drive. Links to the most common ones are here: http://www.bleepingcomputer.com/forums/t/28744/hard-drive-installation-and-diagnostic-tools/

If your hard drive passes that Long/Extended test, then the problem is likely with the file system on the hard drive (and the NTFS dirty bit tends to confirm this). In that case, you'll have to do a full format of the hard drive and then reinstall Windows in order to see an improvement.

PS - I'm moving this over to the Windows XP forums as it's becoming obvious that this isn't a malware problem.

Edited by usasma, 12 February 2009 - 08:30 AM.
