
Casino ad on Google homepage


18 replies to this topic

#1 I like Pie

I like Pie

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 20 December 2009 - 07:24 PM

Hi

I made a rather silly mistake a few months ago, I ran a bad exe file...

My expired version (expired around Feb 2009, no longer receiving updates since then) of Kaspersky caught some things immediately, which were deleted afterwards. I unplugged my computer to instantly shut it off to hopefully avoid the spread of whatever the virus was.

I am running Windows XP.

Upon restarting I initially could not even get into Kaspersky to run it, but that problem seemed to fix itself, and after I ran it, it removed some stuff. I also ran CCleaner and Spybot Search and Destroy. They all removed some things.

The only thing I notice that still remains after this is on the Google homepage: below the traditional search engine, there is an ad for a casino, written in the same style of text as Google. I uninstalled Firefox and reinstalled it with no change to this effect. Upon checking Google via a different computer, this casino ad is unique to my machine.
The casino ad is variable: sometimes there is one, sometimes two identical ones, or Google is unable to load.

I also, upon shutting down the computer, briefly get a warning stating that a registry value has been modified, and I have the choice to allow or deny this. However, the button to deny this is unclickable for the several seconds this warning shows between the time I hit shutdown and the time the computer turns off.

Both these warnings are new since I used the bad exe file.

Due to work I avoided trying to fix this for the last 4 months.

Today I ran Kaspersky (outdated still), scanning the following areas (options available in the Kaspersky program):
Critical areas: nothing found
My computer: nothing found
Startup objects: nothing found
Rootkit scan: nothing found

Looking at the live protection logs of Kaspersky for the past several days, it seems something is trying to access Kaspersky on a daily basis.
I have shown screenshots of Kaspersky warnings, as well as running processes. Also attached is what the Google homepage looks like.

Posted Image
Posted Image
Posted Image

Thank-you in advance for any help!

Edited by I like Pie, 20 December 2009 - 07:25 PM.




#2 MATTSPCHELP

MATTSPCHELP

  • Members
  • 196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Leicester, United kingdom
  • Local time:01:46 AM

Posted 20 December 2009 - 07:34 PM

I like Pie,

Malwarebytes << download, install and quick scan
Microsoft Certified Desktop Support Technician

#3 I like Pie


Posted 20 December 2009 - 07:53 PM

Just remove selected or do you need any other info prior to that?

Posted Image

#4 MATTSPCHELP


Posted 20 December 2009 - 07:56 PM

Remove

#5 I like Pie


Posted 20 December 2009 - 08:19 PM

Done that, I got this showing up though
Posted Image

#6 MATTSPCHELP


Posted 20 December 2009 - 08:25 PM

Allow, that's Spybot asking if it's OK to do what Malwarebytes is trying to do; it may do it several times.

#7 I like Pie


Posted 20 December 2009 - 08:28 PM

Awesome! No issues on the google page anymore!! Thank you so much!

Anything else I need to do to clean up any remaining infection that could have less visible effects?

#8 MATTSPCHELP


Posted 20 December 2009 - 08:31 PM

What antivirus are you running?

I also suggest you run ATF to clean all temp files etc...

#9 I like Pie


Posted 20 December 2009 - 08:41 PM

Running Kaspersky Internet Security, but expired, so no updates since ~Feb of this year.

ATF Cleaner said 0 files removed...
So I ran CCleaner and it removed a bunch of stuff.

#10 MATTSPCHELP


Posted 20 December 2009 - 08:46 PM

Ahh, fair enough, CCleaner is a good choice. Please look at downloading the free antivirus Avast; it most probably would have stopped this from happening.

#11 I like Pie


Posted 20 December 2009 - 08:51 PM

In any case as this seems fixed, I must thank you :thumbsup:

In an ironic twist, the exe file that gave me this virus in the first place was supposed to be a new download of Kaspersky, but the website lied. Do you have a recommended download link for Avast?

#12 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:46 PM

Posted 20 December 2009 - 08:55 PM

Could you please post your Malwarebytes log for me? It can be found under the "Logs" tab of the program.
Computer Pro

#13 MATTSPCHELP


Posted 20 December 2009 - 08:55 PM

http://www.avast.com/eng/download-avast-home.html

#14 I like Pie


Posted 20 December 2009 - 08:57 PM

Re: Avast link: Thanks!

Re: log from Malwarebytes:
Malwarebytes' Anti-Malware 1.42
Database version: 3399
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

12/20/2009 6:06:32 PM
mbam-log-2009-12-20 (18-06-32).txt

Scan type: Quick Scan
Objects scanned: 122499
Time elapsed: 5 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\23100968.dll (LSP.Hijacker) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fips32cup (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\netsik (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\23100968.dll (LSP.Hijacker) -> Delete on reboot.

#15 Computer Pro


Posted 20 December 2009 - 08:58 PM

Thank you for the log. After you have downloaded Avast, please do the following.

I see that you are running Windows XP Service Pack 2. The latest version is Service Pack 3. Running an outdated service pack exposes your computer to numerous security vulnerabilities. This may be why you got the virus that you received. It got through a security hole.

To fix these security holes, please visit the Microsoft Windows Update site.

http://windowsupdate.microsoft.com/

Make sure to run the updating tool until all of the updates that it says are needed are installed. This may require a reboot after a set of updates, and then visiting the site again, there may be another set. Do this until the number of updates reaches 0 under the High Priority Updates.

Running the updating tool will patch all of those security vulnerabilities and prevent possible future attacks.


Let me know after you have done this.