
Infected with virus that puts add links on sites I visit



#1 sharetie

sharetie

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:34 AM

Posted 02 July 2013 - 12:11 AM

URL: http://ad.adtegrity.net/st?ad_type Process: C:\Program Files (x86)\Google\Chrome\App... Infection: URL:Mal

 

Hi, I think I have an infection. My avast free antivirus keeps giving me pop-ups saying as above. I first noticed the virus on my own blog, when I noticed words had been turned into links that I had not made links of. When hovering on those words, a pop-up ad would come up.

 

I have windows 7 operating system.

 

I have been through all downloads and not noticed anything sus there; I have no updates to do. I did try and download a movie a few weeks ago, so I guess that has been what caused it.

 

Silly me.  Please help, from Sharon.





#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:09:34 AM

Posted 02 July 2013 - 01:42 AM

Hello sharetie and Welcome -

 

:step1: Download Security Check by Screen317 from HERE
* Save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: If a security program requests permission to access the Internet, allow it to do so.

 

 

:step2: Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them.
NOTE : You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Double-click on the Rkill desktop icon to run the tool.

  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

If normal mode still doesn't work, run the tool from safe mode.
When the scan is done Notepad will open with rKill log.
Post it in your next reply.
NOTE. rKill.txt log will also be present on your desktop.

 

 

:step3: Scan your machine with ESET OnlineScan
1. Hold down Control and click HERE to open ESET OnlineScan in a new window.
2. Click the ESET Online Scanner button.
3. NOTE: For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
   - Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
   - Double click on the ESET Online Scanner icon on your desktop.
4. Check "YES, I accept the Terms of Use."
5. Click the Start button.
6. Accept any security warnings from your browser.
7. Under scan settings, check "Scan Archives" and "Remove found threats".
8. Click Advanced settings and select the following:
   - Scan potentially unwanted applications
   - Scan for potentially unsafe applications
   - Enable Anti-Stealth technology
9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this will take some time to download the program for the first time, and then download the updated database (1 to 2 hours is not unusual).
10. When the scan completes, click List Threats.
11. Click Export, and save the file to your desktop using a unique name, such as ESETScan.
    - Include the contents of this report in your next reply.
12. Click the Back button.
13. Click the Finish button.

 

 

Thank You -


Edited by hamluis, 02 July 2013 - 04:10 AM.
Removed unnecessary remark - Hamluis.


#3 sharetie

sharetie
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:34 AM

Posted 02 July 2013 - 09:27 PM

Hi Aussie Addict, thanks for your quick response to my problem. Here are the results from no. 1.

 

1. Results of screen317's Security Check version 0.99.68  

 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 10  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
avast! Antivirus                
Microsoft Security Essentials   
 Antivirus up to date!  (On Access scanning disabled!) 
`````````Anti-malware/Other Utilities Check:````````` 
 Java 7 Update 21  
 Java version out of Date! 
 Adobe Flash Player 11.6.602.180  
 Adobe Reader XI  
 Mozilla Firefox 21.0 Firefox out of Date!  
 Google Chrome 27.0.1453.110  
 Google Chrome 27.0.1453.116  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 2% 
````````````````````End of Log`````````````````````` 


#4 sharetie

sharetie
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:34 AM

Posted 02 July 2013 - 09:36 PM

Here are the results from 2. It didn't ask me to run as admin and it is a Windows 7 operating system. The first app did ask that. Anyway, here are the results.

 

2. Rkill 2.5.3 by Lawrence Abrams (Grinler)

Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Invalid arguments ignored: familypc\Desktop\rkill.exe
 
Program started at: 07/03/2013 12:29:48 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\Windows\SysWOW64\astsrv.exe (PID: 2728) [WD-HEUR]
 * C:\Users\FEHERF~1\AppData\Local\Temp\IS1971~1\109779~1.EXE (PID: 6204) [SUP-HEUR]
 * C:\Program Files (x86)\WebCake\OptChrome.exe (PID: 4376) [FI]
 
3 proccesses terminated!
 
Checking Registry for malware related settings:
 
 * Explorer Policy Removed:  NoActiveDesktopChanges [HKLM]
 
Backup Registry file created at:
 C:\Users\Feher family pc\Desktop\rkill\rkill-07-03-2013-12-29-57.reg
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 07/03/2013 12:30:26 PM
Execution time: 0 hours(s), 0 minute(s), and 37 seconds(s)


#5 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:09:34 AM

Posted 02 July 2013 - 11:11 PM

A few other scans to check first -

If you have any of these programs installed, they must be Updated first -

 

:step1: Download Malwarebytes' Anti-Malware Free (aka MBAM)
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
Be sure to reboot the computer after you post the log.

 

 

:step2: Download SUPERAntiSpyware Free (aka SAS)
* Double-click SAS -setup.exe and follow the prompts to install the program.
* At the end, be sure to Check for Updates to be sure it is current
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to reboot the computer after you post the log.

 

 

:step3: Please download Junkware Removal Tool by thisisu to your desktop
Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

 

 

:step4: Please download AdwCleaner by Xplode onto your desktop.

*Close all open programs and internet browsers.
*Double click on adwcleaner.exe to run the tool.
*Click on Delete.
*Confirm each time with Ok.
*NOTE : Your computer will be rebooted automatically. A text file will open after the restart.

*Please post the contents of that logfile with your next reply.
*You can find the logfile at C:\AdwCleaner[S1].txt as well.

 

Thanks -



#6 sharetie

sharetie
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:34 AM

Posted 03 July 2013 - 04:15 AM

Hi, here is the 3rd and final report that you requested.
 
The front box said removed 23 of 26 infected files.
 
 
 
C:\Users\All Users\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Users\All Users\Tarma Installer\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}\_Setupx.dll probably a variant of Win32/Adware.Yontoo.B application
C:\Users\All Users\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\$RECYCLE.BIN\S-1-5-21-264487686-1739050437-2640628132-1000\$RRZ5P2O.exe Win32/DownloadAdmin.G application cleaned by deleting - quarantined
C:\Macromedia\Desktop\Joshua\SoftonicDownloader_for_morphvox-voice-changer.exe Win32/SoftonicDownloader application cleaned by deleting - quarantined
C:\Program Files (x86)\Common Files\DVDVideoSoft\AskTB\ApnIC.dll a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Program Files (x86)\Common Files\DVDVideoSoft\AskTB\ApnToolbarInstaller.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Program Files (x86)\WebCake\WebCakeIEClient.dll probably a variant of Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
C:\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\ProgramData\Tarma Installer\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}\_Setupx.dll probably a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\ProgramData\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Rev1XHD\JFrame\WorldMap\WorldMap.jar a variant of Java/JShrink.A application cleaned by deleting - quarantined
C:\RovaScapeCache7\JFrame\WorldMap\WorldMap.jar a variant of Java/JShrink.A application cleaned by deleting - quarantined
C:\Users\Feher family pc\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7IUBJT2Q\WebCakesetup[1].exe multiple threats cleaned by deleting - quarantined
C:\Users\Feher family pc\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OG18UC6B\WebCakesetup[1].exe multiple threats cleaned by deleting - quarantined
C:\Users\Feher family pc\AppData\Roaming\eIntaller\5D2EF7BDEC5946bfA536D5F3C8C4B093\eGdpSvc.exe a variant of Win32/ELEX.M application cleaned by deleting - quarantined
C:\Users\Feher family pc\AppData\Roaming\eIntaller\5D2EF7BDEC5946bfA536D5F3C8C4B093\eXQ.exe a variant of Win32/ELEX.D application cleaned by deleting - quarantined
C:\Users\Feher family pc\Desktop\setup.exe a variant of Win32/InstallCore.BX application cleaned by deleting - quarantined
C:\Users\Feher family pc\Documents\Terraria.v1.1.cracked-THETA.rar Win32/HackTool.Crack.B application deleted - quarantined
C:\Users\Feher family pc\Downloads\FreeStudio.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Users\Feher family pc\Downloads\FreeYouTubeToMP3Converter.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Users\Feher family pc\Downloads\PhotoScape_V3.6.3.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\Users\Feher family pc\Downloads\SciLorsGroovesharkcomDownloader.exe a variant of Win32/Somoto.A application cleaned by deleting - quarantined
C:\Users\Feher family pc\Music\iTunes\WinZipRegistryOptimizer.exe a variant of Win32/OpenInstall application cleaned by deleting - quarantined
C:\Users\Feher family pc\Pictures\Pics saved Aug\kitchen utensils graphics.exe a variant of Win32/InstallCore.BF application cleaned by deleting - quarantined
C:\Windows\Installer\c5a4ec.msi a variant of Win32/Bundled.Toolbar.Ask application deleted - quarantined
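As an added example (not code from this thread, from ESET or from any of the tools named in it), a small Python parser for the ESET Online Scanner export format posted above: it splits each line into path, detection name and cleaning action, and separates entries that carry no action (found but not yet removed, which is what a "removed 23 of 26" summary reflects) from the quarantined ones. The sample lines are constructed in the same format with placeholder paths; the detection names are ones that appear in this thread.

```python
"""Parse an ESET Online Scanner text export: '<path> <detection> [<action>]'."""
import re
from collections import Counter

# Tail of one export line: detection phrase plus an optional cleaning action.
# The path is everything before the match, so paths containing spaces survive.
TAIL_RE = re.compile(
    r"\s+(?P<detection>"
    r"(?:probably )?(?:a variant of )?[A-Za-z0-9]+/[A-Za-z0-9._-]+ application"
    r"|multiple threats)"
    r"(?:\s+(?P<action>cleaned by deleting - quarantined|deleted - quarantined))?\s*$"
)

# Constructed sample lines in the export format (placeholder paths, not a real scan).
SAMPLE_EXPORT = r"""
C:\ProgramData\Tarma Installer\{GUID-PLACEHOLDER}\_Setupx.dll probably a variant of Win32/Adware.Yontoo.B application
C:\Users\example user\Downloads\Photo Tool Setup.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\Users\example user\Downloads\Free Converter.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Users\example user\AppData\Local\Temp\setup[1].exe multiple threats cleaned by deleting - quarantined
C:\Games\Cache\WorldMap.jar a variant of Java/JShrink.A application cleaned by deleting - quarantined
C:\Users\example user\Documents\game.cracked.rar Win32/HackTool.Crack.B application deleted - quarantined
""".strip("\n")


def parse_line(line):
    """Return a record for one export line, or None if it is not a detection line."""
    m = TAIL_RE.search(line)
    if not m:
        return None
    detection = m.group("detection")
    name = re.search(r"[A-Za-z0-9]+/[A-Za-z0-9._-]+", detection)
    return {
        "path": line[: m.start()],
        "threat": name.group(0) if name else "multiple threats",
        "heuristic": detection.startswith("probably"),  # lower-confidence match
        "action": m.group("action"),  # None => found but not removed yet
    }


def parse_export(text):
    """Parse every line of an export; lines that do not fit the format are skipped."""
    records = [parse_line(line.rstrip()) for line in text.splitlines()]
    return [r for r in records if r]


def summarize(records):
    """What a helper wants before replying: how many were cleaned, what is left, by threat."""
    pending = [r["path"] for r in records if r["action"] is None]
    return {
        "total": len(records),
        "cleaned": len(records) - len(pending),
        "pending": pending,
        "by_threat": dict(Counter(r["threat"] for r in records)),
    }


if __name__ == "__main__":
    s = summarize(parse_export(SAMPLE_EXPORT))
    print(f"removed {s['cleaned']} of {s['total']} detected items")
    for path in s["pending"]:
        print("not yet removed (expect cleanup on reboot):", path)
```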


#7 sharetie

sharetie
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:34 AM

Posted 03 July 2013 - 04:25 AM

Hi, just one quick question. I noticed a couple of things that I use quite often in that list:

 

1. photoscape 

2. scilorsgroovesharkcomdownloader.exe

3. freeyoutubetomp3converter.exe

 

Does this mean these are corrupt or contain viruses and I shouldn't download or use them again?

 

Again, thanks in advance for all your help.

 

Sharon



#8 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:09:34 AM

Posted 03 July 2013 - 04:43 AM

photoscape seems to be OK -

 

I found 2 versions of SciLorsGroovesharkcomDownloader.exe and this is the result for both -
The file 'SciLorsGroovesharkcomDownloader.exe' 100.00% maybe a virus
This file is infected with: Riskware.WebToolbar.Win32.BetterInstaller.AMN

 

 

freeyoutubetomp3converter.exe is most likely an infected program. Remove it from Programs and Features unless it has an uninstaller.
FreeYouTubeToMP3Converter.exe is known as Free Studio; it also goes by the names FreeYouTubeToMP3Converter or Free YouTube to MP3 Converter. Look for any similar name and remove it -

 

You may need to Re-Scan your machine with ESET OnlineScan


Edited by noknojon, 03 July 2013 - 04:46 AM.


#9 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:09:34 AM

Posted 07 July 2013 - 03:34 AM

Hello sharetie -
Have you completed the last set of steps that I left for you ??
Please update me on your situation -

 

Thank You -

 



#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,116 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:34 PM

Posted 07 July 2013 - 05:27 AM

Hi, just one quick question. I noticed a couple of things that I use quite often in that list:
 
1. photoscape 
Does this mean these are corrupt or contain viruses and I shouldn't download or use them again?

No. Photoscape was removed because of Win32/OpenCandy.


OpenCandy is an advertising application distributed by the OpenCandy Software Network which displays ads in other programs. The use of advertisement is a way to promote software packages and recover development costs. OpenCandy is not installed on a computer, does not collect personally identifiable information and in most cases allows the user to choose whether or not to install advertised software recommended by the vendor. Although no personal information is collected, the software does collect anonymous statistics about events and other data during installation. See What information does OpenCandy collect?

This is what OpenCandy has to say about their product.

OpenCandy provides a plug-in that developers include in their software to earn money by showing recommendations for other software in their installers. Developers use this money to keep their software free and invest in further software development. The installer uses the OpenCandy plug-in to present a software recommendation...during installation. You have complete control to accept the software recommendation by selecting either the “Install” or “Do not install” options on the software recommendation screen.

What is OpenCandy?

The OpenCandy network has partnered with various popular and trusted software developers who bundle their product as part of the program's software installation package. A list of such developers can be found here. Some vendors will clearly advise the use of OpenCandy before downloading their software, while others may provide confusing or no information at all. An example would be SIW (System Information for Windows), which clearly indicates on their website the use of OpenCandy.


OpenCandy is an advertising application.

OpenCandy is similar to Google AdSense, except it displays advertisements in installation programs instead of on websites. These advertisements promote other software packages. The advertisements are selected by the providers of the software being installed. When a user installing the software (SIW) chooses to install the promoted package, revenue is generated and shared between OpenCandy and the software providers (SIW developers).

SIW Home Edition is bundled with OpenCandy

OpenCandy is not a virus or malware. However, since it is responsible for displaying advertisements, it may be detected (and sometimes removed) by various anti-virus and other security scanning tools as Adware, a classification that broadly defines the term as any software package which automatically displays advertisements in any form in order to generate revenue. For example, the Microsoft Malware Protection Center (MMPC) detects the program as Adware:Win32/OpenCandy, a low level threat and so does McAfee.

In response to this detection, OpenCandy has provided the following information: For another opinion, you may want to read: OpenCandy: A New Kind of Adware/Spyware.

IMO, removal of OpenCandy detections is an optional choice.

#11 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:09:34 AM

Posted 08 July 2013 - 08:50 PM

the front box said removed 23 of 26 infected files. <<The remaining items will be deleted on a reboot -
 
 Microsoft Security Essentials MSMpEng.exe 
 AVAST Software Avast AvastSvc.exe

You have 2 Antivirus programs running. Please select one to remove.

This can cause problems with your computer running correctly -

 

Thank You -

EDITED to list the 2 Antivirus programs for you -


Edited by noknojon, 08 July 2013 - 09:00 PM.




