
fake homepage verizon/yahoo?


14 replies to this topic

#1 mikemak

mikemak

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 06 April 2009 - 02:25 PM

I have a Compaq 1.60 2GB Vista laptop. This morning my daughter turned on her laptop (Acer 1.60 1GB XP), opened the Verizon homepage and got a warning from Avira about a virus; we clicked to deny access. Right away I turned mine on, opened the homepage and got the same warning from Avira and took the same action. I closed and opened the page again, got the same warning (which I didn't save, sorry) and also noticed in the address bar at the top of IE there was a little blue square icon beside the address; this would normally be a Yahoo icon. So I checked the Acer laptop and it had the Yahoo icon on the homepage. I went to IE options and deleted my remembered homepage, googled verizon/yahoo, clicked on the link and sure enough the page was correct again, as in the Yahoo symbol had replaced the little blue square. As I typed this I have just noticed the symbol beside the address bar on my homepage is the same symbol that's in the Bleeping Computer address bar right now. This is strange. Is this the symbol that should be beside this site's address? If so, how is it beside my homepage? Our laptops share the network but are not connected to share info at all. Well, I thought I may have had a virus or redirect but now I'm not sure. Both laptops are always scanned using SAS, Avira, Malwarebytes, ATF Cleaner. Any thoughts? Should I run any other scans to be sure?



#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:06:18 AM

Posted 06 April 2009 - 09:14 PM

If you are using a router, be sure to disconnect from the net, do a hard reset, and give it a strong password.

Update mbam and run a FULL scan
Please post the results
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 mikemak

mikemak
  • Topic Starter


Posted 07 April 2009 - 08:18 AM

Hi, I ran MBAM (updated) as I do about every 5 days. It shows nothing. I am not sure of the icon beside the address bar, but the alert from Avira every time we log on to verizon/yahoo I think is coming from a target ad running on their page. When they change the ad I don't get the warning from the AV; tried it now 10 times. Like I said, I have run updated scans of SAS, Malwarebytes, Avira. Not sure what's going on with the address bar but it hasn't done it again.

#4 garmanma


Posted 07 April 2009 - 06:01 PM

Let's see if this shows anything
How about including a screenshot if it happens again
It just might be a false positive

-------------------------------

Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Mark

#5 mikemak


Posted 07 April 2009 - 09:16 PM

Hi, well, now I know I am infected. Been having random hangs, then the Verizon thing, now I just checked my C: drive and noticed an "admin~" account added. This is while I was logged on as such, so it showed an extra one that said "admin~". I deleted it and changed my password. Just did a full scan with SAS and it found "trace.known threat sources" in temp files.
"virusremover 2009 jpg." is what it says. I have seen this threat and removed it before. Also, while SAS was scanning I watched it and saw WeatherBug gadgets, HouseCall 6.6 (I don't use) and what looked like "insecu web security" but I am not sure that's what it said. I will follow your instructions above and post the results. Thanks.

Edited by mikemak, 07 April 2009 - 09:52 PM.


#6 mikemak


Posted 08 April 2009 - 12:24 PM

Yes, I was infected with virusremover2009, mysearch (weatherbug) and weatherbug. I ran Dr.Web and it didn't find anything; do you still want me to post the log? After doing that scan last night (2 hours) I ran SAS in safe mode and found virusremover2009, mysearch or 'SEARCH' and virusremover2009-mbam while running as admin. Removed those and right away logged into my user account in safe mode, opened SAS and got the warning that my homepage was trying to be changed. I clicked to block the change and scanned the user in safe mode with SAS and it found only tracking cookies and the 1 virusremover2009 without the mbam with it as above. It removed the virus as far as I know. Well, no hangs, pop-ups (which I never got), and after 2 more scans in safe mode on both accounts I think it's gone but still not sure. I did see weatherbug gadgets and something else related to it during SAS scans but have looked in regedit and don't see any signs of it anywhere, but it's there somewhere. I also saw wild tangent something and I thought I got rid of that junk a year ago. Again I checked everywhere and can't find it. From what I see the 'SEARCH' is related to the weatherbug program that appeared in programs 3 days ago. I would really like to get rid of these. Will HJT find these? While I wait for your reply I will delete past system restores and I guess look for a new AV program because Avira has let this virusremover2009 in 2 times now, not good. I think I might have to start paying for AV programs again. Thanks for your help.

#7 mikemak


Posted 08 April 2009 - 03:54 PM

After I reboot and scan with SAS the virusremover2009 comes back. Also something is adding administrators to the accounts on both my laptops; well, not mine anymore, but the virus is returning. Just a note: I checked in user documents and found the swsetup shortcut for the fake admin folder I deleted yesterday; when I tried to delete it, it says it can't delete because it's no longer there? Also in the same folder is a picture of a flower named "ordinary image"; when I clicked on this picture it shows the symbol I described yesterday beside my Yahoo address bar. Looks just like the Bleeping Computer icon, this is weird. At this point I am sure I have more problems. In the program files folder, downloaded IE programs, there is an ActiveX download that just says unknown everywhere, and it says no uses? The alert from Avira when I open our homepage sometimes says "HTML/rce.gen trojan". I hope you can help. Thanks.

#8 garmanma


Posted 08 April 2009 - 07:18 PM

I have seen no logs, therefore I can offer no opinion. I'm not going to fly blind
Try posting a new topic and see if anyone else will pick up on it

Edited by garmanma, 08 April 2009 - 07:19 PM.

Mark

#9 mikemak


Posted 10 April 2009 - 03:46 PM

Sorry for the delay. I scanned both my laptops and my PC with Dr.Web and I can't find the scan results? I opened Notepad and it's blank; you do mean Notepad in the program files, correct? Also, do I have to download and scan each user with Dr.Web or just admin? Here's the last MBAM. In safe mode while scanning with Dr.Web a red shield popped into the bar saying "SERCURITY CENTER TURNED OFF"; it wasn't, and the icon went away when I restarted normally.
Windows 6.0.6001 Service Pack 1

4/10/2009 12:33:51 PM
mbam-log-2009-04-10 (12-33-51).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 178060
Time elapsed: 27 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 mikemak


Posted 10 April 2009 - 03:48 PM

SAS SCAN
http://www.superantispyware.com

Generated 04/10/2009 at 01:06 PM

Application Version : 4.24.1004

Core Rules Database Version : 3838
Trace Rules Database Version: 1794

Scan type : Complete Scan
Total Scan Time : 00:32:03

Memory items scanned : 132
Memory threats detected : 0
Registry items scanned : 5543
Registry threats detected : 0
File items scanned : 39039
File threats detected : 0

#11 garmanma


Posted 11 April 2009 - 07:23 PM

Full tutorial:
http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/


Please print out and follow these instructions: "How to use SDFix".
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • Please be patient as the scan may take up to 20 minutes to complete.
  • When the process is complete, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • The SDFix report log (Report.txt) will open in Notepad and automatically be saved in the SDFix folder.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

Mark

#12 mikemak


Posted 11 April 2009 - 08:17 PM

SDFix won't run. Does it work with Vista? It just flashes quickly when I try to open it in safe mode. I tried the fix they have listed for XP/2000? but it didn't work. I did find the Dr.Web scan; it didn't show anything, but do you want me to post it? It's long; do I post the whole thing here?

Edited by mikemak, 11 April 2009 - 08:20 PM.


#13 garmanma


Posted 12 April 2009 - 04:57 PM

I don't know what else to suggest, other than prepare to submit an HJT log
------------------------------------

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.


Good Luck
Mark

#14 mikemak


Posted 12 April 2009 - 06:44 PM

Hi, what do you think is best, a wipe/re-install of Vista or HJT and try to keep fixing? Just your thought on the matter? I don't have any files, pics, etc. to worry about saving. I went in and deleted some reg. keys that are said to be related to the virus but can't find them all and can't locate the files anywhere. My only problems are a hang sometimes, I assume when the virus re-generates? and the red shield in the bar only when logged on as admin in safe mode. Kinda strange the file SAS keeps finding says "virusremover2009-mbam". Is that Malwarebytes? If it says the file is located in "c:\users\mike2\appdata\local\microsoft\windows\temp internet files\low\content.IE5\054f99m10\virusremover2009.jpg" why can I find this location? Well, as always I have learned a lot by reading here but I guess this one got me. I am off to search for good Vista install instructions. Thank you.

#15 garmanma


Posted 13 April 2009 - 01:53 PM

If you have no problems with reinstalling the OS, that would be the best choice
A nice clean fresh start
Mark