
Is this a virus?

6 replies to this topic

#1 Farrah2

  • Members
  • 23 posts

Posted 08 December 2012 - 07:52 PM

Hi

I received a pop up box stating that Microsoft Security Essentials has detected potential threats that might compromise my privacy or damage my computer. I clicked on 'clean computer' thinking it was legit. I've since become aware it might be fake. I can't copy and paste a screen dump, but the url that appears on the pop up box page is http://domainsrandomsswopp.info/?affid=00333&promo_type=7&promo_opt=1

The program downloaded from clicking the 'clean computer' button is freescan_2012.exe

Is this a fake and if so, how can I remove it?

Your assistance is appreciated.


#2 Jimbob85

  • Members
  • 308 posts
  • Gender:Male
  • Location:VA, USA

Posted 11 December 2012 - 02:51 PM

The URL looks bogus to me. Let's try a scan or two and see what we find.

Please Download Malwarebytes AKA MBAM

Update Malwarebytes via the update tab.
Run a full scan
When the scan finishes please select Remove Selected and make sure all of the boxes are checked
Please post the results

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.




Download ESET online scanner

Install it

Click on START, it should download the virus definitions
When scan completes, click on LIST of found threats

Export the list to desktop, copy the contents of the text file in your reply
You may not get a listing if nothing is found

#3 Farrah2
  • Topic Starter

  • Members
  • 23 posts

Posted 13 December 2012 - 07:03 AM

Thanks for your reply. The day I posted my question, I did a scan through MBAM. I've posted the log below (it found something). Since reading your reply, I've done another scan and followed your instructions. I've posted the results below.

Log from scan on 9 December:

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.06.04

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Farrah :: FARRAH-PC [administrator]

9/12/2012 12:33:00 PM
mbam-log-2012-12-09 (12-33-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 228772
Time elapsed: 10 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Farrah\Downloads\freescan_2012.exe (Trojan.Lameshield) -> Quarantined and deleted successfully.

(end)


The scan I ran today after reading your reply finished with this log:

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.06.04

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Farrah :: FARRAH-PC [administrator]

13/12/2012 7:02:14 PM
mbam-log-2012-12-13 (19-02-14).txt

Scan type: Full scan (C:\|D:\|E:\|G:\|H:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 419041
Time elapsed: 1 hour(s), 44 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

I then did the ESET scan and this was the list of threats found:

C:\Users\All Users\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application unable to clean
C:\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application unable to clean
C:\Program Files\1ClickDownload\uninst.exe Win32/Adware.1ClickDownload application cleaned by deleting - quarantined
C:\Program Files\Yontoo\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
C:\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Users\Farrah\AppData\Local\Temp\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
C:\Users\Farrah\AppData\Local\Temp\YontooSetup-Silent.exe Win32/Adware.Yontoo application cleaned by deleting - quarantined
C:\Users\Farrah\AppData\Local\Temp\YontooLayers\background.html Win32/Adware.Yontoo.C application cleaned by deleting - quarantined
C:\Users\Farrah\AppData\Roaming\Mozilla\Firefox\Profiles\79193xpb.default\extensions\plugin@yontoo.com\content\overlay.js Win32/Adware.Yontoo application cleaned by deleting - quarantined
C:\Users\Farrah\Downloads\Pinks_DVDrip_ENG_3D_cartoons.exe multiple threats cleaned by deleting - quarantined


Thanks for your help.
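The two logs above are the kind of output a helper has to read by hand: an MBAM 1.x text log with a header and one line per detection, and an ESET "list of found threats" export where each line is a path, a detection name and a cleaning result. The script below is an added example, not code from the thread or from either vendor, that parses both formats into records and reports which files still need attention. Its sample input is assembled here from the lines quoted in the post (so it runs offline), the regular expressions are my own reconstruction of the two formats, and the junction folding relies on the fact that on Windows Vista and 7 `C:\Users\All Users` is a symbolic link to `C:\ProgramData`, which is why ESET listed the same `_Setupx.dll` twice, once "unable to clean" and once "cleaned by deleting".

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the MBAM 1.65 log quoted in the thread.
MBAM_LOG = r"""Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.06.04

Windows Vista Service Pack 2 x86 NTFS

Scan type: Quick scan
Objects scanned: 228772

Files Detected: 1
C:\Users\Farrah\Downloads\freescan_2012.exe (Trojan.Lameshield) -> Quarantined and deleted successfully.

(end)
"""

# Constructed sample input modelled on the ESET threat list quoted in the thread
# (paths and GUID copied from the post; the list itself is assembled here).
ESET_LIST = r"""C:\Users\All Users\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application unable to clean
C:\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Program Files\1ClickDownload\uninst.exe Win32/Adware.1ClickDownload application cleaned by deleting - quarantined
C:\Users\Farrah\Downloads\Pinks_DVDrip_ENG_3D_cartoons.exe multiple threats cleaned by deleting - quarantined
"""

# Header fields worth keeping from an MBAM log (the helper asked for the database version).
MBAM_FIELD_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Files Detected): (.+)$")
# One detection line: "<path> (<detection name>) -> <action>."
MBAM_HIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^)]+)\) -> (?P<action>.+?)\.?$")

# One ESET export line: "<path with spaces> <detection phrase> <result>".
# The path is matched lazily and the result phrase is anchored at the end, so
# spaces inside the path cannot be mistaken for the field separator.
ESET_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<detection>multiple threats|(?:a variant of\s+)?\S+(?:\s+application)?)\s+"
    r"(?P<result>unable to clean|cleaned by deleting - quarantined|deleted - quarantined|cleaned|deleted)$"
)
CLEANED = ("cleaned by deleting - quarantined", "deleted - quarantined", "cleaned", "deleted")
ALL_USERS_PREFIX = "c:\\users\\all users\\"


def parse_mbam(text):
    """Return the header fields and per-item detections of an MBAM 1.x log as a dict."""
    report = {"detections": []}
    for line in text.splitlines():
        line = line.strip()
        m = MBAM_FIELD_RE.match(line)
        if m:
            report[m.group(1).lower().replace(" ", "_")] = m.group(2)
            continue
        m = MBAM_HIT_RE.match(line)
        if m:
            report["detections"].append(m.groupdict())
    return report


def parse_eset(text):
    """Return one dict (path, detection, result) per non-empty line of an ESET threat list."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ESET_RE.match(line)
        if not m:
            raise ValueError("unrecognised ESET line: " + line)
        findings.append(m.groupdict())
    return findings


def normalize_path(path):
    """Lower-case the path and fold the Vista/7 'All Users' junction onto ProgramData."""
    p = path.lower()
    if p.startswith(ALL_USERS_PREFIX):
        p = "c:\\programdata\\" + p[len(ALL_USERS_PREFIX):]
    return p


def outstanding(findings):
    """Normalised paths for which no entry reports a successful clean."""
    resolved = defaultdict(bool)
    for f in findings:
        key = normalize_path(f["path"])
        resolved[key] = resolved[key] or f["result"] in CLEANED
    return sorted(p for p, ok in resolved.items() if not ok)


def families(findings):
    """Distinct detection names with ESET's 'a variant of' / 'application' wording stripped."""
    names = {f["detection"].replace("a variant of", "").replace("application", "").strip()
             for f in findings}
    return sorted(names)


if __name__ == "__main__":
    mbam = parse_mbam(MBAM_LOG)
    eset = parse_eset(ESET_LIST)
    print("MBAM database %s: %d item(s)" % (mbam["database_version"], len(mbam["detections"])))
    for d in mbam["detections"]:
        print("  %-20s %s" % (d["name"], d["path"]))
    print("ESET: %d entries, families %s" % (len(eset), families(eset)))
    print("still needs attention:", outstanding(eset) or "nothing")
```

Running it on the sample prints the MBAM detection and an empty "still needs attention" list: the "unable to clean" entry under `C:\Users\All Users` collapses onto the `C:\ProgramData` entry that was quarantined, so nothing is actually left behind. A path that only ever appears as "unable to clean" is returned by `outstanding()`, which is the list a helper would ask the poster to deal with next.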

#4 Jimbob85

  • Members
  • 308 posts
  • Gender:Male
  • Location:VA, USA

Posted 13 December 2012 - 08:36 AM

The only thing that really is much to worry about is the "program" that you downloaded. Did you run the app after you downloaded it?

Have you run a scan with your AV? Microsoft Security Essentials (MSE), assuming that is your AV?

Are you still having the trouble you mentioned before or anything else?

#5 Jimbob85

  • Members
  • 308 posts
  • Gender:Male
  • Location:VA, USA

Posted 17 December 2012 - 11:09 AM

If you need any further help please PM me.

#6 Farrah2
  • Topic Starter

  • Members
  • 23 posts

Posted 17 December 2012 - 07:22 PM

Thanks!

I think it's all good now. I ran a scan with my AV which found nothing. I did a scan with Super anti-spyware and it found something and removed it. Then I did another scan with ESET and it came up clean.

On another note, I've found on the net info that even after the computer is cleaned, the Windows registry can be corrupted and that it should be fixed with a program called RegTweaker. I read about it here: http://www.removespywareguides.com/sdsetup-exe-how-to-remove.html

Do you recommend I download this RegTweaker thing?

#7 Jimbob85

  • Members
  • 308 posts
  • Gender:Male
  • Location:VA, USA

Posted 17 December 2012 - 08:40 PM

I am personally not a big fan of registry tweaking apps. I have found, and I think that others here would agree, that they can, and typically do, cause more harm than good. The registry is one of those things best left alone unless there is no other option; it links and controls so much stuff. Hope this helps. Glad to hear you are back up and running!
