Redirecting, Fake pop Alert,


16 replies to this topic

#1 Stayplaced

Stayplaced

  • Members
  • 15 posts
  • OFFLINE
  • Local time:04:23 AM

Posted 26 March 2010 - 06:55 PM

Hi guys. I keep receiving this fake pop-up alert.

When I was about to post an introduction in these forums I received the pop-up again. I noticed it mostly happens on forums.


Here is the image to be more specific.
Posted Image - The window+Message

Posted Image + Inside site.

I am not sure when I received this message the first time. It was about a week before, I think. I knew .exe files were not safe to download. Something about the wording kept me away from it. However, I was getting really annoyed by this, and I thought it might be the site or some sort. When I was browsing a different forum, it came up again; I accidentally hit Allow instead of Don't Allow, and then all was a horrible nightmare. It downloaded setup.exe and automatically activated a fake virus protector antivirus, asking me to register to protect my system. I knew this was a fake, and I immediately started scanning with Malwarebytes Anti-Malware. It detected some items and asked for a reboot, and I did. When I logged back in in normal mode, the virus was not gone. Instead it covered up the whole desktop with the program running. I couldn't run Task Manager or anything. I restarted in safe mode with networking and that didn't do the trick either. The virus protector covered my whole screen. I couldn't even get access to the desktop. Then I logged in on my laptop trying to find a way to get rid of this. I found somewhere to restart in safe mode with command prompt. On the site it said to type this into Notepad:

[Version]
Signature="$Chicago$"
Provider=Myantispyware.com

[DefaultInstall]
AddReg=regsec

[regsec]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Winlogon,Shell,0x00000020,"Explorer.exe"

Save this as fix.inf to your Desktop (remember to select Save as file type: All files in Notepad). Close Notepad.

In the command prompt type Explorer.exe and Press Enter. Windows Explorer opens. Locate the fix.inf, click right button and select Install. Close Windows Explorer.

In the command prompt type shutdown -r and press Enter. Your computer will be rebooted.


This is what I did, exactly. And when I rebooted in normal mode, I logged in to my user account and everything was working well. The virus protector didn't pop up, so I assumed it was over. When I was trying to surf the net I noticed some weird things. For example, in Google, when you search for a person like Michael Jackson, usually there is a picture, a video, and more detailed stuff in the search. But for some reason Google didn't search that way for me.

This is what it looks like when I surf. You can see some difference from the classic Google search.

Posted Image

Sometimes it displays titles like <b> title <b>. I don't have a screenshot of that :thumbsup:

Update: Screenshot: Posted Image

And my browser is very, very slow. I know my PC can be slow without malware, but I am pretty sure this has something to do with it. It takes a long time to click a link from a Google search, and sometimes it takes me to some ad sites. I have to click two times to get redirected to the original site. Sometimes when I Google search I see things like goodclickads and google-analytics when redirecting, in Firefox. I am not sure if I am explaining myself well, but I really am trying to. I'm not really good with computers :(. If someone can please assist me with this, it would be greatly appreciated. A lot of people are suggesting that I do a complete reboot. But if there's any other way to remove this, please suggest it. I have subscribed to this forum section, so I will be quick to respond.

Version - Windows Vista
Browsers - Safari, IE. Deleted Firefox and Google Chrome
Antivirus - ESET NOD32 Antivirus

Also: Malwarebytes Anti-Malware and SUPERAntiSpyware installed

Thanks in advance
~Chris

Edited by Stayplaced, 27 March 2010 - 12:18 AM.
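As an added example (not code from the post or from the site it quotes), the following Python parses the AddReg entries of that fix.inf and compares a registry snapshot against the two values it restores. The snapshots are constructed dicts standing in for live HKCU/HKLM reads, and the fake AV path in the infected snapshot is a placeholder.

```python
"""Parse the AddReg entries of the fix.inf quoted in the post and compare a
registry snapshot against the values it restores.

Added example, not code from the post or from Myantispyware.com. The
snapshots below are constructed dicts standing in for real HKCU/HKLM reads,
so this runs offline on any platform; the fake AV path is a placeholder.
"""

# The .inf exactly as quoted in the post (raw string keeps the backslashes).
FIX_INF = r"""
[Version]
Signature="$Chicago$"
Provider=Myantispyware.com

[DefaultInstall]
AddReg=regsec

[regsec]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Winlogon,Shell,0x00000020,"Explorer.exe"
"""

# 0x00000020 is FLG_ADDREG_OVERWRITEONLY in the setupapi AddReg flag table:
# the value is written only if it already exists, which is what a repair wants.
FLG_ADDREG_OVERWRITEONLY = 0x00000020


def parse_addreg(inf_text, section="regsec"):
    """Return (root, subkey, value_name, flags, data) tuples from one AddReg section.

    AddReg lines have the form  root,subkey,value-name,flags,value  with the
    value optionally quoted; commas inside the value survive because the line
    is split at most four times.
    """
    entries = []
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == section.lower()
            continue
        if not in_section:
            continue
        parts = [p.strip() for p in line.split(",", 4)]
        if len(parts) != 5:
            raise ValueError(f"malformed AddReg line: {line}")
        root, subkey, name, flags, data = parts
        entries.append((root, subkey, name, int(flags, 16), data.strip('"')))
    return entries


def check_snapshot(snapshot, entries):
    """Compare {(root, subkey, name): current_value} with the INF's intended values.

    Returns a list of (key, current, expected) for every value that is missing
    or differs; the comparison is case-insensitive because Windows paths are.
    """
    mismatches = []
    for root, subkey, name, _flags, expected in entries:
        key = (root, subkey, name)
        current = snapshot.get(key)
        if current is None or str(current).lower() != expected.lower():
            mismatches.append((key, current, expected))
    return mismatches


# Constructed snapshot of the state the fix.inf targets: a replaced Winlogon
# Shell value and Registry Editor disabled by policy.  The path is a placeholder.
INFECTED_SNAPSHOT = {
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): 1,
    ("HKLM", r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"):
        r"C:\Users\Example\AppData\Local\fakeav_placeholder.exe",
}

# Constructed snapshot of the repaired state after fix.inf has been installed.
CLEAN_SNAPSHOT = {
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): 0,
    ("HKLM", r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "explorer.exe",
}

if __name__ == "__main__":
    entries = parse_addreg(FIX_INF)
    for root, subkey, name, flags, data in entries:
        print(f"{root}\\{subkey}\\{name} -> {data!r} (flags 0x{flags:08x})")
    for key, current, expected in check_snapshot(INFECTED_SNAPSHOT, entries):
        print("MISMATCH", key[2], "is", repr(current), "expected", repr(expected))
```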




#2 lildrgn

lildrgn

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:23 AM

Posted 26 March 2010 - 07:01 PM

I have the same pop up. NO clue what is going on and nothing seems to be working for me. Good luck!

#3 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:11:23 AM

Posted 27 March 2010 - 02:58 PM

Hi Stayplaced,


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If you use other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.



Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#4 Stayplaced

Stayplaced
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:04:23 AM

Posted 27 March 2010 - 05:19 PM

Hi Elle. First off, thanks for the prompt reply. I already have Malwarebytes' Anti-Malware installed on my system. I did a quick scan an hour ago. Please tell me if I should post a log of that. I have tried updating in normal mode and in safe mode with networking. It gave me this error.

Here is the pic when I try to update.

Posted Image

I tried going to the Malwarebytes website, http://www.malwarebytes.org, but it doesn't allow me to. In IE it says Internet Explorer cannot display the webpage. I asked my friend if he could and he said it was working fine. I am guessing it's the virus that's blocking it. I even tried going into safe mode and tried to update, but I receive the same error. Anyway, this is my current version of Malwarebytes.

Posted Image

About RootRepeal: I downloaded and installed it. When I opened it (in safe mode) this is the window that popped up.

Posted Image

I am not sure if this is an error because I'm running in safe mode.

When I try to scan it says "could not initialize driver". Please tell me, should I start the RootRepeal scan in normal mode? I think because I'm in safe mode with networking it's stopping it.

Here is the crash report of RootRepeal from the txt document.

ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows Vista SP1
Exception Code: 0xc0000005
Exception Address: 0x00422bf2
Attempt to read from address: 0x00000004


Here is the MBAM log I took about 1 1/2 hours ago.
Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 6.0.6001 Service Pack 1 (Safe Mode)
Internet Explorer 7.0.6001.18000

3/27/2010 4:27:01 PM
mbam-log-2010-03-27 (16-27-01).txt

Scan type: Quick Scan
Objects scanned: 137761
Time elapsed: 25 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Stayplaced, 27 March 2010 - 05:30 PM.
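A small parser for the MBAM log format pasted above, as an added example that is not code from the thread or from Malwarebytes. The sample log is constructed for the example (its header fields mirror the thread's logs; the detection objects, threat name and GUID are placeholders). It also checks the summary counts against the listed detections and lists objects still marked "No action taken", i.e. detections that have not been removed yet.

```python
"""Parse a Malwarebytes' Anti-Malware 1.4x text log like the ones pasted in this
thread: header fields, the "<category>: <count>" summary, and detection lines of
the form "<object> (<threat>) -> <action>."

Added example, not Malwarebytes' code. SAMPLE_LOG is constructed for the
example: the header follows the thread's logs; the detection objects, threat
name and GUID are placeholders.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3913
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

3/28/2010 1:45:07 AM
mbam-log-2010-03-28 (01-45-07).txt

Scan type: Quick Scan
Objects scanned: 160050
Time elapsed: 16 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\ExampleAdware\ExampleAdware.dll (Adware.Example) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001} (Adware.Example) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001} (Adware.Example) -> Quarantined and deleted successfully.
"""

# "<object> (<threat family>) -> <action>."  The threat name never contains
# parentheses, so the lazy object match correctly skips "(x86)" in a path.
DETECTION_RE = re.compile(r"^(?P<obj>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
TIMESTAMP_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$")


def parse_mbam_log(text):
    """Return (header, counts, detections).

    header     : dict of 'Key: value' lines plus 'product', 'timestamp', 'other'
    counts     : {'Memory Modules Infected': 1, ...} from the summary block
    detections : [(category, object, threat, action), ...]
    """
    lines = text.strip().splitlines()
    header = {"product": lines[0].strip() if lines else "", "other": []}
    counts, detections, category = {}, [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):                      # "Registry Keys Infected:"
            category = line[:-1]
            continue
        if line == "(No malicious items detected)":
            continue
        if TIMESTAMP_RE.match(line):
            header["timestamp"] = line
            continue
        m = DETECTION_RE.match(line)
        if m and category:
            detections.append((category, m["obj"], m["threat"], m["action"]))
            continue
        key, sep, value = (s.strip() for s in line.partition(":"))
        if sep and key.endswith("Infected") and value.isdigit():
            counts[key] = int(value)                # summary block
        elif sep:
            header[key] = value                     # "Database version: 3913" etc.
        else:
            header["other"].append(line)            # OS / browser / file-name lines
    return header, counts, detections


def summarise(detections):
    """Detections per threat family, and the objects MBAM left in place."""
    families = Counter(threat for _, _, threat, _ in detections)
    pending = [obj for _, obj, _, action in detections
               if action.lower().startswith("no action")]
    return families, pending


def counts_consistent(counts, detections):
    """True when the summary counts agree with the detection lines listed."""
    seen = Counter(cat for cat, *_ in detections)
    return all(counts.get(c, 0) == seen.get(c, 0) for c in set(counts) | set(seen))


if __name__ == "__main__":
    header, counts, detections = parse_mbam_log(SAMPLE_LOG)
    families, pending = summarise(detections)
    print(header["product"], "db", header["Database version"], header.get("timestamp"))
    print("families:", dict(families))
    print("still present (needs Remove Selected):", len(pending))
    print("counts consistent:", counts_consistent(counts, detections))
```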


#5 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:11:23 AM

Posted 27 March 2010 - 05:40 PM

Hi :thumbsup: ,



Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.



Elle

#6 Stayplaced

Stayplaced
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:04:23 AM

Posted 27 March 2010 - 06:07 PM

Thanks again for the prompt reply.

Here is the anti-spyware's first log.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/26/2010 at 05:35 AM

Application Version : 4.33.1000

Core Rules Database Version : 4446
Trace Rules Database Version: 1978

Scan type : Complete Scan
Total Scan Time : 00:51:54

Memory items scanned : 822
Memory threats detected : 0
Registry items scanned : 8779
Registry threats detected : 0
File items scanned : 35798
File threats detected : 115

Adware.Tracking Cookie

Trojan.Agent/Gen-PennyStockChaser
C:\PROGRAM FILES\ATOMPARK\ATOMIC ZIP PASSWORD RECOVERY\US.EXE

Application.Agent/Gen-TempZ
C:\PROGRAMDATA\{36EE58FF-EC14-4448-ABC6-93E498C17B9D}\OFFLINE\MFILEBAGIDE.DLL\BAG\STBREAIM.EXE
C:\PROGRAMDATA\{36EE58FF-EC14-4448-ABC6-93E498C17B9D}\OFFLINE\MFILEBAGIDE.DLL\BAG\STBREWLM.EXE
C:\PROGRAMDATA\{36EE58FF-EC14-4448-ABC6-93E498C17B9D}\OFFLINE\MFILEBAGIDE.DLL\BAG\STBRUNWLM.EXE
C:\PROGRAMDATA\{36EE58FF-EC14-4448-ABC6-93E498C17B9D}\OFFLINE\MFILEBAGIDE.DLL\BAG\STBTERM.EXE



Here is the latest scan of SAS taken today.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/27/2010 at 06:46 AM

Application Version : 4.33.1000

Core Rules Database Version : 4446
Trace Rules Database Version: 1978

Scan type : Quick Scan
Total Scan Time : 00:36:20

Memory items scanned : 875
Memory threats detected : 0
Registry items scanned : 882
Registry threats detected : 0
File items scanned : 27076
File threats detected : 15

Adware.Tracking Cookie

#7 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:11:23 AM

Posted 27 March 2010 - 06:29 PM

Hi Stayplaced,


We need to use the RKill tool by Grinler
  • Link #1
  • Link #2
  • Link #3
  • Link #4
  • Please download Link #1. Save it to your Desktop.
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double click the RKill desktop icon to run the tool.
  • If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
NOTE:
1. Try running RKill using Link 1, if it does not run, download Link 2 and delete Link 1 then try running it again.
2. If you still can't run RKill, repeat the same steps using Link 3 and 4. Please tell me if none of the links work.
*If the tool does not run from any of the links, Please tell me about it.




Try running the downloaded Malwarebytes definitions and, if it works, please run a FULL scan with it.




Elle

Edited by Blind Faith, 27 March 2010 - 06:44 PM.


#8 Stayplaced

Stayplaced
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:04:23 AM

Posted 27 March 2010 - 08:19 PM

Hi.

Malwarebytes still doesn't run.

Here are the RKill logs.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Abhinav on 03/27/2010 at 21:17:48.


Processes terminated by Rkill or while it was running:


C:\Users\Abhinav\Desktop\rkill.pif


Rkill completed on 03/27/2010 at 21:17:49.



#9 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:11:23 AM

Posted 27 March 2010 - 08:26 PM

Hi Stayplaced,



* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Elle

Edited by Blind Faith, 27 March 2010 - 08:33 PM.

Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



#10 Stayplaced

Posted 27 March 2010 - 09:23 PM

I have cleared all the cache and cookies in my browsers, Safari and Internet Explorer. However I couldn't run the Kaspersky online scanner. They said they don't have one at the moment.

#11 Stayplaced

Posted 28 March 2010 - 12:56 AM

Hey Blind Faith. I finally got Malwarebytes working. I reinstalled the new version (link 1) and it worked :).

Here is the new updated log. I performed a quick scan. Amazingly, 39 infections were detected. Keeping it short, here's the log:


Malwarebytes' Anti-Malware 1.44
Database version: 3913
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

3/28/2010 1:45:07 AM
Mbam log file new updated

Scan type: Quick Scan
Objects scanned: 160050
Time elapsed: 16 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 7
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\AutocompletePro\AutocompletePro.dll (Adware.PredictAd) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{01bcb858-2f62-4f06-a8f4-48f927c15333} (Adware.PredictAd) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{c9ae652b-8c99-4ac2-b556-8b501182874e} (Adware.PredictAd) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{0fb6a909-6086-458f-bd92-1f8ee10042a0} (Adware.PredictAd) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0fb6a909-6086-458f-bd92-1f8ee10042a0} (Adware.PredictAd) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0fb6a909-6086-458f-bd92-1f8ee10042a0} (Adware.PredictAd) -> No action taken.
HKEY_CLASSES_ROOT\AppID\AutocompletePro.DLL (Adware.PredictAd) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\{F9197A7E-CE10-458e-85F8-5B0CE6DF2BBE} (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\TOY5KNQ8OC (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Software\WEK9EMDHI9 (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\support@predictad.com (Adware.PredictAd) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toy5knq8oc (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.113,93.188.166.97 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{198fa8ae-5f7c-4008-a328-1646bcdedc24}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.113,93.188.166.97 -> No action taken.

Folders Infected:
C:\Program Files\AutocompletePro (Adware.PredictAd) -> No action taken.
C:\Program Files\AutocompletePro\support@predictad.com (Adware.PredictAd) -> No action taken.
C:\Program Files\AutocompletePro\support@predictad.com\chrome (Adware.PredictAd) -> No action taken.
C:\Program Files\AutocompletePro\support@predictad.com\chrome\content (Adware.PredictAd) -> No action taken.
C:\Program Files\AutocompletePro\support@predictad.com\defaults (Adware.PredictAd) -> No action taken.
C:\Program Files\AutocompletePro\support@predictad.com\defaults\preferences (Adware.PredictAd) -> No action taken.
C:\Program Files\AutocompletePro\support@predictad.com\META-INF (Adware.PredictAd) -> No action taken.

Files Infected:
C:\Program Files\AutocompletePro\AutocompletePro.dll (Adware.PredictAd) -> No action taken.
C:\Windows\System32\ah04h8gqo.exe (Rogue.Multiple) -> No action taken.
C:\Windows\System32\aPVVmDEIu.dll (Rogue.Multiple) -> No action taken.
C:\Program Files\AutocompletePro\InstTracker.exe (Adware.PredictAd) -> No action taken.
C:\Program Files\AutocompletePro\unins000.dat (Adware.PredictAd) -> No action taken.
C:\Program Files\AutocompletePro\unins000.exe (Adware.PredictAd) -> No action taken.
C:\Program Files\AutocompletePro\support@predictad.com\chrome.manifest (Adware.PredictAd) -> No action taken.
C:\Program Files\AutocompletePro\support@predictad.com\install.rdf (Adware.PredictAd) -> No action taken.
C:\Program Files\AutocompletePro\support@predictad.com\chrome\content\browserOverlay.xul (Adware.PredictAd) -> No action taken.
C:\Program Files\AutocompletePro\support@predictad.com\chrome\content\options.js (Adware.PredictAd) -> No action taken.
C:\Program Files\AutocompletePro\support@predictad.com\chrome\content\options.xul (Adware.PredictAd) -> No action taken.
C:\Program Files\AutocompletePro\support@predictad.com\chrome\content\utils.js (Adware.PredictAd) -> No action taken.
C:\Program Files\AutocompletePro\support@predictad.com\defaults\preferences\predictad.js (Adware.PredictAd) -> No action taken.
C:\Program Files\AutocompletePro\support@predictad.com\META-INF\manifest.mf (Adware.PredictAd) -> No action taken.
C:\Program Files\AutocompletePro\support@predictad.com\META-INF\zigbert.rsa (Adware.PredictAd) -> No action taken.
C:\Program Files\AutocompletePro\support@predictad.com\META-INF\zigbert.sf (Adware.PredictAd) -> No action taken.
C:\Users\Abhinav\AppData\Roaming\avdrn.dat (Malware.Trace) -> No action taken.
C:\Users\Abhinav\AppData\Roaming\fvgqad.dat (Malware.Trace) -> No action taken.

I didn't do the removal process yet.

Edited by Stayplaced, 28 March 2010 - 12:57 AM.


#12 Blind Faith
Posted 28 March 2010 - 04:46 AM

Hi again Stayplaced,



So please scan again and remove them all :thumbsup: . (post the log)


Please also tell me how the system is doing after cleaning the infections :flowers: .

EDIT: Also, please excuse me, the right link for the Kaspersky Online Scanner is this one.

Run this scan as well and please excuse me.


Elle

Edited by Blind Faith, 28 March 2010 - 08:38 AM.

#13 Stayplaced
Posted 28 March 2010 - 10:08 AM

OK. First I did a quick scan after downloading the latest version. It found the files as I posted in the log before. It asked for a reboot and I did it. Do you want the clean log of MBAM? It basically says which files it deleted.

The system is running great. No pop-ups YET. I am not sure it's fully gone.

I ran a full scan and 4 items were detected. This is the log.

Malwarebytes' Anti-Malware 1.44
Database version: 3922
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

3/28/2010 5:53:10 AM
mbam-log-2010-03-28 (05-53-10).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 405922
Time elapsed: 2 hour(s), 4 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Abhinav\Desktop\all folders\Shortcut to folders\PS CD3\Adobe_Photoshop_CS3\Msvcrt.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Abhinav\Desktop\all folders\Shortcut to folders\PS CD3\Adobe_Photoshop_CS3\Shfolder.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Abhinav\Documents\My Downloads\LyricsPro(1).exe (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Users\Abhinav\Documents\My Downloads\LyricsPro.exe (Adware.PredictAd) -> Quarantined and deleted successfully.

I am doing a Kaspersky scan right now.

#14 Stayplaced
Posted 28 March 2010 - 03:35 PM

Kaspersky scan log

KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, March 28, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, March 28, 2010 12:17:40
Records in database: 3888465
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area Critical areas
C:\Program Files
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\Abhinav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Windows
Scan statistics
Objects scanned 151761
Threats found 1
Infected objects found 1
Suspicious objects found 0
Scan duration 01:21:12

File name Threat Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
Selected area has been scanned.

#15 Blind Faith
Posted 29 March 2010 - 06:47 AM

Hi,

Some things to fix.


Let's manually reset your DNS.

Open Network Connections by clicking the Start button , clicking Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then clicking Manage network connections.

Right-click the connection that you want to change, and then click Properties. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

To obtain a DNS server address automatically, click Obtain DNS server address automatically, and then click OK.

Click Start - Run. The Run dialog box will open.
Type cmd in the box and click Enter. A DOS window will open.
Type ipconfig /flushdns <=Note the spacing
Reboot your computer!


Post back a reply telling me if it worked and how the system is doing.




Elle
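The manual DNS reset above can be checked and repeated from PowerShell. This is an added example, not part of the thread: it reads the same NameServer registry values that Malwarebytes flagged as Trojan.DNSChanger, warns about any static resolver not on an allow-list, and with -Reset reverts every adapter to DHCP-assigned DNS and flushes the resolver cache. It assumes Windows PowerShell 5.1 run as Administrator; the $AllowedDns addresses are placeholders from the documentation range and must be replaced with your own resolvers.

```powershell
# Added example (not from the thread): audit NameServer values for DNS hijacking
# and optionally reset them. Assumes Windows PowerShell 5.1, run as Administrator.
# $AllowedDns is a placeholder (RFC 5737 documentation addresses); fill in your own.
param(
    [string[]]$AllowedDns = @('192.0.2.1', '192.0.2.2'),
    [switch]$Reset
)

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-StaticNameServers {
    # Collect the global NameServer value and the per-interface ones under
    # Interfaces\{GUID}; both locations appeared in the Malwarebytes log above.
    $hits = @()
    $global = (Get-ItemProperty -Path $tcpip -Name NameServer -ErrorAction SilentlyContinue).NameServer
    if ($global) { $hits += [pscustomobject]@{ Key = $tcpip; Servers = $global } }
    Get-ChildItem -Path "$tcpip\Interfaces" | ForEach-Object {
        $ns = (Get-ItemProperty -Path $_.PSPath -Name NameServer -ErrorAction SilentlyContinue).NameServer
        if ($ns) { $hits += [pscustomobject]@{ Key = $_.PSPath; Servers = $ns } }
    }
    return $hits
}

$suspicious = @()
foreach ($entry in Get-StaticNameServers) {
    # NameServer is a comma- or space-separated list, e.g. "93.188.162.113,93.188.166.97"
    $servers = $entry.Servers -split '[,\s]+' | Where-Object { $_ }
    $bad = $servers | Where-Object { $AllowedDns -notcontains $_ }
    if ($bad) {
        $suspicious += $entry
        Write-Warning ("Static DNS not on the allow-list under {0}: {1}" -f $entry.Key, ($bad -join ', '))
    }
}

if (-not $suspicious) { Write-Host 'No unexpected static DNS servers found.'; return }

if ($Reset) {
    # Same effect as "Obtain DNS server address automatically" in the adapter's
    # Properties dialog, applied to every IP-enabled adapter, then ipconfig /flushdns.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        $null = $_.SetDNSServerSearchOrder()   # no list given = revert to DHCP-provided DNS
    }
    ipconfig /flushdns | Out-Null
    Write-Host 'DNS reset to automatic and resolver cache flushed; reboot as advised.'
}
```

Run it once without -Reset to see what is set, then with -Reset only after confirming the flagged servers are not ones you configured on purpose.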